[ https://issues.apache.org/jira/browse/RANGER-406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15467828#comment-15467828 ]
Nigel Jones commented on RANGER-406:
------------------------------------
I think this is a good point -- currently the typical actions are:
- permit/deny
- filter
- mask

However, there are a number of other "governance" related actions that
ranger+plugins could (and should) support:
- Audit logging only (in this case if a policy is not satisfied)
- recording usage information for metering (i.e. cloud services)
- perform validation on write/updates (based on values supplied, i.e. meeting
  policy)
- altering a request, for example automatically adding context to be written
  during an update or looking up a code against reference data
- forcing encryption of data to be written
- Initiating an asynchronous action (for further checks, fraud, remediation
  perhaps through a human or automated workflow) since not every check can be
  completed synchronously

Further, I think that as per RANGER-1168 this should be done for tag based
policies as well as those that are resource based.

Technically a plugin could do all of these today, but more clarity/consistency
in UI, docs & perhaps the server/plugins could help (I'm not yet familiar enough
with the code structure ??)

> Policy manager should support a way to just ask for auditability instead of
> access (and auditability).
> ------------------------------------------------------------------------------------------------------
>
> Key: RANGER-406
> URL: https://issues.apache.org/jira/browse/RANGER-406
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Alok Lal
>
> For some cases like HBase, where superusers are exempt from access validation,
> getting a lightweight way to just check for auditability would be beneficial
> and performant.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)